Re: [CFRG] Update of the AEGIS draft

John Mattsson <john.mattsson@ericsson.com> Fri, 14 April 2023 16:05 UTC

From: John Mattsson <john.mattsson@ericsson.com>
To: Frank Denis <cfrg=40pureftpd.org@dmarc.ietf.org>, IRTF CFRG <cfrg@irtf.org>
Date: Fri, 14 Apr 2023 16:05:04 +0000
Message-ID: <GVXPR07MB96786B0EA4017D02EFAB75D389999@GVXPR07MB9678.eurprd07.prod.outlook.com>
References: <2F9EE079-3605-4451-BA69-99F12CE7AE38@pureftpd.org>
In-Reply-To: <2F9EE079-3605-4451-BA69-99F12CE7AE38@pureftpd.org>
Archived-At: <https://mailarchive.ietf.org/arch/msg/cfrg/0LwxI7tyKTQAdR9ZA6IMwsPVHq8>

Review of draft-irtf-cfrg-aegis-aead-02

Hi,

Thanks for driving this work! I have always been very supportive of this work. Reading and providing comments on the NIST SP 800-38 series during the last year has made me even more supportive. I think AEGIS fills several important requirements that are missing from current AEAD algorithms, especially high performance on commodity CPUs as well as large nonces. I hope the authors will submit AEGIS to the upcoming NIST workshop on encryption modes.

I think the draft seems in a very good state. Some comments:

- Title: Titles of RFCs should be capitalized according to RFC 7322, i.e., change to "The AEGIS Family of Authenticated Encryption Algorithms"

- Abstract: I think the abstract should mention all the nice high level properties: support of large nonces, large plaintexts, key commitment…

- Abstract: I think you should remove "It is not an IETF product and is not a standard." All needed text is automatically added to the RFC.

- "With AEGIS-128L, random nonces can safely encrypt up to 2^48 messages
   using the same key with negligible collision probability."

  Not sure 2^-33 is always considered negligible. Maybe good to inform the reader that after n messages the collision probability is n^2 / 2^129. I assume 2^48 was chosen to align with the NIST required 2^-32 probability for GCM.

- IANA Considerations: How do I use AEGIS in QUIC and DTLS 1.3? Code points have been registered for TLS 1.3, which means that AEGIS can be used for TLS 1.3. It can however not be used for QUIC, DTLS 1.3, and cTLS as that requires standardization of how to do the QUIC and DTLS 1.3 Header Protection. What is the plan for that? I think this should be done very soon. Should that be done in this draft or a separate draft? Happy to help write such a separate draft/drafts if needed. The IANA registry says "DTLS-OK = Y", but that is only true for DTLS 1.2. How to encrypt the DTLS 1.3 header when TLS_AEGIS_256_SHA384 or TLS_AEGIS_128L_SHA256 is used is not specified. I would also like to see AEGIS being Recommended = 'Y' in the future. Unless done in this draft, I think a TLS WG draft should be processed in parallel with the CFRG draft doing these three things:

1. Recommended = 'Y'
2. How to encrypt DTLS 1.3 headers
3. How to encrypt QUIC headers

Cheers,
John
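An added worked example, not part of John's or Frank's messages: the figure John quotes (n^2 / 2^129 after n random AEGIS-128L nonces) is the generic birthday estimate n(n-1)/2 · 2^-b for a b-bit nonce. The code below evaluates that estimate exactly with rationals and also inverts it, giving the largest per-key message count at which the estimate still stays under 2^-32, for both AEGIS nonce sizes and, for comparison, the 96-bit IV of AES-GCM. The 2^-32 target and the GCM comparison are my additions for illustration; the thread itself only states the AEGIS-128L case.

```python
import math
from fractions import Fraction

# Added example for this thread (not from the draft): birthday estimate for random
# nonces and its inverse, for the nonce sizes compared in the thread.
NONCE_BITS = {"AES-GCM (96-bit IV)": 96, "AEGIS-128L": 128, "AEGIS-256": 256}


def collision_bound(n_messages, nonce_bits):
    """Upper estimate of P(two of n uniformly random b-bit nonces coincide): n(n-1)/2 * 2^-b.

    Returned as an exact Fraction so that values like 2^-161 survive without rounding."""
    return Fraction(n_messages * (n_messages - 1), 2 ** (nonce_bits + 1))


def max_messages(nonce_bits, target_log2=-32):
    """Largest n whose collision estimate is still <= 2^target_log2.

    Binary search on exact rationals; 2^-32 is the GCM-style target John refers to."""
    limit = Fraction(1, 2 ** -target_log2)
    lo, hi = 1, 2 ** nonce_bits
    while lo < hi:
        mid = (lo + hi + 1) // 2
        if collision_bound(mid, nonce_bits) <= limit:
            lo = mid
        else:
            hi = mid - 1
    return lo


def log2_bound(n_messages, nonce_bits):
    """log2 of the estimate as a float, for readable output (-33.0 for 2^48 AEGIS-128L nonces)."""
    return math.log2(collision_bound(n_messages, nonce_bits))


if __name__ == "__main__":
    for name, bits in NONCE_BITS.items():
        print(f"{name:20s}  2^48 msgs -> bound 2^{log2_bound(2 ** 48, bits):.2f}"
              f"   max msgs at 2^-32 -> 2^{math.log2(max_messages(bits)):.1f}")
```

Running it prints a bound of 2^-33.00 for 2^48 AEGIS-128L nonces, matching John's figure, and a per-key limit of about 2^48.5 messages before the estimate crosses 2^-32; for AEGIS-256 the same 2^48 messages give about 2^-161, while for 96-bit IVs 2^48 random nonces already push the estimate to 1/2, which is why the GCM limit sits near 2^32.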

From: CFRG <cfrg-bounces@irtf.org> on behalf of Frank Denis <cfrg=40pureftpd.org@dmarc.ietf.org>
Date: Friday, 14 April 2023 at 15:58
To: IRTF CFRG <cfrg@irtf.org>
Subject: [CFRG] Update of the AEGIS draft

Hi all,

A new revision of the draft on the AEGIS family of authenticated encryption algorithms was recently published.

AEGIS is an AEAD designed for high performance applications, with significant advantages over AES-GCM:

- Fast. 2x to 4x faster than AES-GCM on CPUs with AES pipelines. Software implementations also tend to be faster
- Very simple to implement securely and efficiently using only the AES forward round function
- Reduced memory usage: doesn’t require precomputing a key schedule nor powers of the MAC key to achieve optimal performance
- Large nonce size (128 bits for AEGIS-128L, 256 bits for AEGIS-256)
- Better security bounds
- Context committing
- Backtracking resistant

In addition to internal deployments, AEGIS is already deployed in OVH routers, in the Linux kernel and in VPN software.

Multiple implementations exist (C, C++, Rust, Zig, Python, Go, Assembly), most of them having been written independently, using only the specification:

https://github.com/jedisct1/draft-aegis-aead#known-implementations

In addition to reference code and to the specification, Google’s Project Wycheproof includes an extensive set of test vectors for AEGIS.

For evaluation purposes, AEGIS can be used as an alternative to AES-GCM in the context of TLS.

In order to ensure interoperability, IANA has assigned identifiers for AEGIS-based cipher suites.

There is a maintained fork of BoringSSL that supports these cipher suites. The TLS stack of the Zig standard library also supports these suites out of the box.

Feedback would be very useful. We would love to see this document move forward.

Direct links to the draft:

- latest version (editor’s copy): https://jedisct1.github.io/draft-aegis-aead/#go.draft-irtf-cfrg-aegis-aead.html
- datatracker page: https://datatracker.ietf.org/doc/draft-irtf-cfrg-aegis-aead

Kind regards,

-Frank.
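An added illustration of the construction Frank describes above (the whole cipher built from the AES forward round, a 128-bit nonce, a 128-bit tag), written for this page; it is neither the draft's reference code nor any of the implementations linked above. It transcribes the AEGIS-128L pseudocode of draft-irtf-cfrg-aegis-aead as I read it (state initialisation, Update, keystream, finalisation and the constants C0/C1), so treat those details as an assumption and check the output against the draft's test vectors or the Wycheproof set Frank mentions before relying on it for interoperability. The key, nonce, AD and message in the usage block are constructed sample inputs, not test vectors.

```python
import hmac

# Added illustration for this thread, not the draft's reference code: AEGIS-128L in pure
# Python, transcribed from the pseudocode of draft-irtf-cfrg-aegis-aead as I read it.
# Only the AES forward round is needed; it is built here in software from a generated S-box.

def _make_sbox():
    """Generate the AES S-box: GF(2^8) inverse followed by the affine map."""
    rot = lambda x, s: ((x << s) | (x >> (8 - s))) & 0xFF
    sbox, p, q = [0] * 256, 1, 1
    while True:
        p = (p ^ (p << 1) ^ (0x1B if p & 0x80 else 0)) & 0xFF  # p = 3 * p
        q ^= q << 1; q ^= q << 2; q ^= q << 4; q &= 0xFF       # q = q / 3, keeps q = 1/p
        if q & 0x80:
            q ^= 0x09
        sbox[p] = q ^ rot(q, 1) ^ rot(q, 2) ^ rot(q, 3) ^ rot(q, 4) ^ 0x63
        if p == 1:
            break
    sbox[0] = 0x63
    return bytes(sbox)

SBOX = _make_sbox()

def _xtime(b):
    return ((b << 1) ^ 0x1B) & 0xFF if b & 0x80 else b << 1

def aes_round(block, round_key):
    """AESRound(in, rk) of the draft: SubBytes, ShiftRows, MixColumns, then XOR with rk."""
    s = [SBOX[b] for b in block]
    s = [s[4 * ((c + r) % 4) + r] for c in range(4) for r in range(4)]  # ShiftRows, column-major
    out = bytearray(16)
    for c in range(4):
        a0, a1, a2, a3 = s[4 * c:4 * c + 4]
        t = a0 ^ a1 ^ a2 ^ a3
        out[4 * c] = a0 ^ t ^ _xtime(a0 ^ a1)
        out[4 * c + 1] = a1 ^ t ^ _xtime(a1 ^ a2)
        out[4 * c + 2] = a2 ^ t ^ _xtime(a2 ^ a3)
        out[4 * c + 3] = a3 ^ t ^ _xtime(a3 ^ a0)
    return bytes(x ^ k for x, k in zip(out, round_key))

def _xor(a, b): return bytes(x ^ y for x, y in zip(a, b))
def _and(a, b): return bytes(x & y for x, y in zip(a, b))

C0 = bytes.fromhex("000101020305080d1522375990e97962")  # draft constants (Fibonacci bytes)
C1 = bytes.fromhex("db3d18556dc22ff12011314273b00dbd")

class Aegis128L:
    def __init__(self, key, nonce):  # 16-byte key and nonce; eight 16-byte state words
        kn = _xor(key, nonce)
        self.s = [kn, C1, C0, C1, kn, _xor(key, C0), _xor(key, C1), _xor(key, C0)]
        for _ in range(10):
            self.update(nonce, key)

    def update(self, m0, m1):
        s = self.s
        self.s = [aes_round(s[7], _xor(s[0], m0)), aes_round(s[0], s[1]), aes_round(s[1], s[2]),
                  aes_round(s[2], s[3]), aes_round(s[3], _xor(s[4], m1)), aes_round(s[4], s[5]),
                  aes_round(s[5], s[6]), aes_round(s[6], s[7])]

    def _keystream(self):  # z0 || z1, 32 bytes
        s = self.s
        return _xor(_xor(s[6], s[1]), _and(s[2], s[3])) + _xor(_xor(s[2], s[5]), _and(s[6], s[7]))

    def absorb(self, block):  # AD block, zero-padded to 32 bytes by the caller
        self.update(block[:16], block[16:])

    def enc(self, block):  # plaintext block, zero-padded to 32 bytes by the caller
        ct = _xor(block, self._keystream())
        self.update(block[:16], block[16:])
        return ct

    def dec(self, chunk):  # Dec / DecPartial: 1..32 ciphertext bytes
        pt = _xor(chunk + bytes(32 - len(chunk)), self._keystream())[:len(chunk)]
        v = pt + bytes(32 - len(pt))  # the state absorbs the zero-padded plaintext, as in enc()
        self.update(v[:16], v[16:])
        return pt

    def finalize(self, ad_len, msg_len):  # 128-bit tag = S0 ^ ... ^ S6
        lengths = (8 * ad_len).to_bytes(8, "little") + (8 * msg_len).to_bytes(8, "little")
        t = _xor(self.s[2], lengths)
        for _ in range(7):
            self.update(t, t)
        return bytes(a ^ b ^ c ^ d ^ e ^ f ^ g for a, b, c, d, e, f, g in zip(*self.s[:7]))

def _blocks(data):  # zero-pad to a multiple of 32 bytes and split; empty input gives no blocks
    padded = data + bytes(-len(data) % 32)
    return [padded[i:i + 32] for i in range(0, len(padded), 32)]

def aegis128l_encrypt(key, nonce, ad, msg):
    st = Aegis128L(key, nonce)
    for block in _blocks(ad):
        st.absorb(block)
    ct = b"".join(st.enc(block) for block in _blocks(msg))[:len(msg)]
    return ct, st.finalize(len(ad), len(msg))

def aegis128l_decrypt(key, nonce, ad, ct, tag):
    """Plaintext on success, None when the tag fails (no plaintext is released in that case)."""
    st = Aegis128L(key, nonce)
    for block in _blocks(ad):
        st.absorb(block)
    msg = b"".join(st.dec(ct[i:i + 32]) for i in range(0, len(ct), 32))
    return msg if hmac.compare_digest(st.finalize(len(ad), len(ct)), tag) else None

if __name__ == "__main__":  # constructed sample inputs, not a test vector from the draft
    key, nonce = bytes(range(16)), bytes(range(16, 32))
    ct, tag = aegis128l_encrypt(key, nonce, b"header", b"attack at dawn")
    print(ct.hex(), tag.hex())
    assert aegis128l_decrypt(key, nonce, b"header", ct, tag) == b"attack at dawn"
```

The S-box is generated rather than typed in so the whole cipher fits on one screen; a production implementation would replace `aes_round` with the CPU's AES round instructions (AESENC on x86, AESE/AESMC on ARMv8), which is precisely the property that makes AEGIS fast and keeps it free of table lookups on secret data. Two points worth noticing in the code: the length block in `finalize` is XORed into S2 after the whole message, so AD and message lengths are bound into the tag, and the decrypt path keeps the recovered plaintext private until `compare_digest` accepts the tag.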